Splunk Search

Hi, I am facing problem with multiple subqueries in timechart. it is not showing the value for _time field.

toabhishek16
New Member

Query "index=idx1 sourcetype=src1 sender="xyz" | timechart count as res1" showing results properly, and

Query "index=idx1 sourcetype=src1 sender="abc" | timechart count as res2" not showing any result.

when I am trying to combine both the queries as below:
index=idx1 sourcetype=src1 sender="xyz" | timechart count as res1 | appendcols [search index=idx1 sourcetype=src1 sender="abc" | timechart count as res2] | fillnull res1, res2

it is giving result, but no value for _time field .

how I can get values for _time field.

pls help me....

0 Karma

ltrand
Contributor

Joined Query
"index=idx1 sourcetype=src1 sender="xyz" OR sender="abc" | timechart count by sender

This is significantly more efficent than the options above. It makes a single pass in the index and sourcetype to pull the data and populates the chart. Before you have to query the same data twice to pull information. Then you have to join the two results before charting.

somesoni2
Revered Legend

Try something like this

index= idx1 sourcetype=src1 sender="abc" OR sender="xyz" | timechart count(eval(sender="abc") as res1 count(eval(sender="xyz") as res2

linu1988
Champion

Hello,
Rather than appending the result

just do the below

index=idx1 sourcetype=src1 OR sourcetype=src2|timechart count by sourcetype

Thanks,
L

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...